DNSSEC is the recommended DNS implementation to deploy on modern servers.

The intention behind DNSSEC was not to protect against attackers hijacking servers for reflection DDoS attacks, said researchers at network security firm Neustar. In addition, researchers said webmasters should deploy DNSSEC to protect against DNS hijacking and DNS cache poisoning attacks.

As companies started deploying this DNS protocol extension, network security firms began to see more attacks using this vector.

After seeing a rise in DNSSEC-based DDoS attacks itself, Neustar analyzed over 1,349 domains that use DNSSEC from just one industry vertical.

Neustar researchers discovered 1,084 of the analyzed domains contained vulnerabilities that allowed attackers to use DNSSEC to reflect and amplify their DDoS attacks.

Attackers send DNSSEC requests to a domain name server signed with the ANY command, which forces the DNSSEC server to gather all the DNS info about that domain and respond to the query, the researchers said.

Additionally, the server will attach its digital signature to the response, adding more weight to the DNS server response.

Because DNSSEC server queries can end up spoofed with a fake sender IP address, the attackers are tricking the server into responding to the victim’s IP address, sending junk traffic to the wrong person (the target of the DDoS attack).

Neustar said it costs an attacker only 80 bytes to send the initial DNSSEC query, but the server would reply (because of the ANY command) with a minimum of 2,313 bytes, the size of a basic ANY-based DNSSEC response.

Based on the information included in the response, the return packet would sometimes have a bigger size. Neustar reported seeing some servers responding to specific domains with responses as big as 17,377 bytes.

This means a DNSSEC-based reflection DDoS attack has a huge amplification factor. The range varied from 28.9 to 217.2. On the other hand, the average amplification factor for reflection DDoS attacks is around 10, making DNSSEC a clear-cut favorite for running such attacks.

Taking into account around 80 percent of DNSSEC servers are improperly configured, attackers have a huge attack surface to work with for their operations, which also explains why more and more DDoS tools will exploit it, as more DNS servers start deploying DNSSEC.

To mitigate the possibility of having their server hijacked for DDoS attacks, webmasters should configure DNSSEC servers to ignore DNS queries with the ANY parameter.